Update on Return of Nursing Home CON in Florida

View PDF Version Here.

AHCA announced the preliminary winners and losers in the first nursing home CON batching cycle since the Legislature lifted the moratorium in 2014. The State Agency Action Reports (“SAARs”) released on February 20 had a few surprises, but perhaps the biggest surprise is not contained within the decisions on the 102 completed CON Applications, but instead in the significant number of areas that are still left with unmet need.

While most of the talk surround nursing home CON Applications filed in this batching cycle has been about the large number of CON Applications filed, perhaps the more interesting story is that in 9 sub-districts, where there was a combined published fixed need of 365 beds, no one applied. In 13 other sub-districts, AHCA’s preliminary decisions awarded less beds than the fixed need determination calculated despite having CON Applications that would have met the need, for a combined deficit of 443 beds. For example, in Lee County, sub-district 8-5, there was fixed need for 40 beds, yet AHCA denied the only CON Application filed in that sub-district, leaving the 40 bed fixed need determination unmet.

This article focuses on the fixed need determinations by sub-district and the net surplus or deficit that would be created if AHCA’s preliminary determinations stand. Note, however, that AHCA’s preliminary determinations may be overturned by legal challenges filed before March 16, 2015, so these numbers are subject to and will almost definitely change significantly before all of the legal challenges are completed. For a more detailed discussion on the legal challenge process and timeline, see our newsletter dated February 11, 2015.

SUB-DISTRICTS WITH FIXED NEED WITHOUT A CON APPLICANT

No one applied for a nursing home CON in 9 sub-districts where there was published fixed need in the Second Batching Cycle for Other Beds and Programs 2014. The chart below shows the sub-district, counties, and fixed need that was not applied for by any nursing home provider.

Sub-district Counties Unmet Need
2-1 Gadsden, Holmes, Jackson, and Washington 56
2-3 Calhoun, Franklin, Gulf, Liberty, and Wakulla 14
3-1 Columbia, Hamilton, and Suwannee 99
3-3 Putnam 43
5-1 Pasco 67
6-4 Highlands 25
9-1 Indian River 18
9-2 Martin 37
9-3 Okeechobee 6

While it is too late for anyone to apply for a CON in these sub-districts in this batching cycle, it is extremely likely that similar fixed need will be published for these sub-districts in the next batching cycle on April 3, 2015.

SUB-DISTRICTS WHERE NEED IS GREATER THAN AHCA AWARDS

In 13 sub-districts, AHCA preliminarily awarded CONs for less beds than the current projected need. The chart below provides the sub-district, counties, and deficit between the fixed need calculations and preliminary awards.

Sub-district Counties Unmet Need
1-1 Escambia and Santa Rosa 40
3-2 Alachua, Bradford, Dixie, Gilchrist, Lafayette, Levy and Union 60
3-5 Citrus 43
3-6 Hernando 16
3-7 Lake and Sumter 25
4-3 St. Johns and south-eastern Duval 47
5-2 Pinellas 56
7-2 Orange 18
7-3 Osceola 10
7-4 Seminole 78
8-1 Charlotte 3
8-2 Collier 7
8-5 Lee 40

Any Applicant that filed a CON in the current batching cycle has the right to challenge their denial or the approval of another CON in the same sub-district prior to March 16, 2015.

SUB-DISTRICTS WHERE AHCA AWARDS EXCEEDED FIXED NEED

There were 4 sub-districts where AHCA awarded more beds than the fixed need publications showed were needed. The chart below shows the sub-district, counties, and surplus of beds over the published fixed need.

Sub-district Counties Surplus Beds
2-2 Bay 14
3-4 Marion 12
4-2 Baker, Clay, and southwestern Duval 47
6-5 Polk 51

Any Applicant that filed a CON in the current batching cycle has the right to challenge their denial or the approval of another CON Application filed in the same sub-district prior to March 16, 2015.

RIGHTS OF EXISTING PROVIDERS

Existing providers in the same district that will be substantially affected by the approval of a competing proposed facility or program can initiate or intervene in a challenge pursuant to Fla. Stat. §408.039(5)(c) (2014). Thus, by way of example, an existing provider in sub-district 6-3 can challenge a preliminary approval of a proposed provider in sub-district 6-5 because they are both in district 6. This is different from competing Applicants that must be filing in the same sub-district to prove standing. Existing providers may also intervene in legal proceedings challenging preliminary approvals after March 16, 2015, however, they do so subject to the standing of the other parties to the proceeding, as discussed in our prior newsletter on February 11, 2015. Thus, existing providers that wait until after March 16, 2015, do so at the risk that no one else challenges the preliminary approval.

AREAS RIPE FOR CHALLENGES

At this point, any area where there is a pending CON approval is an opportunity for a legal challenge. Basis for challenges are unlimited and can include any combination of factors, such as a better fit for the market, technical flaws in an application, under or over filling the gap in need demonstrated by the fixed need publication, etc. There are literally countless basis for challenging a preliminary CON approval. Notably, final hearings are de novo proceedings, meaning AHCA’s preliminary decision is not given any weight or presumption of correctness.

Without a full detailed review of all of the competing Applications within a sub-district, it’s difficult to make any specific conclusions about where successful opportunities for challenges could be found. That said, there are some sub-districts that seem to stand out in a macro-analysis shown in the chart below.

Sub-district Deficit/Surplus Reason
1-1 40 Bed Surplus Other Applicant met the published need
3-2 60 Bed Surplus Other Applicants met the published need
4-4 47 Bed Surplus Other Applicants met the published need
5-2 56 Bed Surplus Denied 56 bed Applicant
7-4 78 Bed Surplus Other Applicants met the published need
8-5 40 Bed Surplus Denied 31 bed Applicant

If these preliminary approvals are not challenged, they become final approvals and CONs will be awarded in these sub-districts.

Thus, if you are uncertain about whether you want to challenge a denial or someone else’s approval, it’s best to go ahead and file a challenge. A challenge can always be dismissed if you decide not to proceed, but if you miss the opportunity to challenge, then you may have missed the window of opportunity. That said, we have conservatively used March 16, 2015, as the deadline to file challenges throughout this article. However, there are certain facts and subsequent notice that have occurred in this batching cycle that might extend the period of time to file such challenges. Thus, if you have not decided to file a challenge until after March 16, 2015, and are just now reading this article and thinking you are too late, please contact us to discuss whether there may be additional ways to challenge a preliminary denial or approval.

CONCLUSION

February 20, 2015, held a few surprises for the bountiful field of CON Applicants, particularly that there is still a significant amount of unmet need where either no one applied for a CON or where AHCA did not award the beds to the full amount projected by the need formula. It will be interesting to see on April 3, 2015, whether AHCA again publishes similar need for these unclaimed areas, and if so, whether any CON Applicants will jump into the arena to compete for these unclaimed areas. There are also many areas of the State that are potentially subject to legal challenges to AHCA’s preliminary approvals. It will be interesting to see how many of AHCA’s preliminary decisions ultimately remain after these legal challenges are completed.

Geoffrey D. Smith is a shareholder in the law firm of Smith & Associates, and has practiced in the area of health care law and CON regulation for over 20 years.

View PDF Version Here.

HIPAA Enforcement and Compliance: What You Need to Know

View PDF Version Here.

HIPAA 101

The Health Insurance and Accountability Act of 1996 (HIPAA) is a federal law that sets forth certain requirements to be followed by healthcare providers and related entities with respect to safeguarding a patient’s privacy and security.1 HIPAA helps to ensure that all medical records, medical billing, and patient account information meet certain standards with regard to documentation, handling, and privacy. Most simply, it requires “covered entities” to protect the privacy of patient information, secure patient health information (physically and electronically), adhere to the “minimum necessary” standard for use and disclosure of patient health information, and specifies patients’ rights for access, use and disclosure of their health information.

Following the passage of HIPAA, the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act and the 2013 HHS HIPAA Final Omnibus Rule strengthened and updated the federal HIPAA privacy and security standards. Major revisions included: breach notification requirements, fine and penalty increases for privacy violations, mandating that business associates are directly liable for HIPAA compliance, patients’ right to request electronic copies of their health care records, and patients’ right to restrict disclosure to health plans for services self‐paid in full (“self‐pay restriction”).

HIPAA’s Privacy and Security Rule, along with the relatively recent revisions resulting from the 2009 HITECH Act and 2013 Final Omnibus Rule, are discussed briefly below. 2

HIPAA Privacy Rule

The HIPAA Privacy Rule, 45 CFR Parts 160-164, regulates the use and disclosure of Protected Health Information (“PHI”). Under HIPAA, a covered entity is not required to obtain consent or authorization to use or disclose PHI for treatment, payment, or health care operations.3 While the HIPAA Privacy Rule does not require an individual’s consent or authorization for the use or disclosure of PHI for treatment, payment, or health care operations, Florida Statutes imposes a more stringent standard for the use or disclosure of patient information, and requires a written authorization for disclosures other than for treatment purposes, except under certain enumerated circumstances.4
When the use or disclosure of PHI is not related to treatment, payment, or health care operations, HIPAA requires a written valid authorization, except under certain enumerated exceptions.5 In order for the authorization to be valid, certain requirements outlined in HIPAA must be met.6 The HIPAA Privacy Rule contains several key definitions, listed below:
Business Associate: A person, other than a member of the covered entity’s workforce, that, with respect to a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information.7

Covered Entity: A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction subject to the privacy rule.8

Protected Health Information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.9 PHI is information related to a patient’s past, present, or future physical and/or mental health condition. It includes, but is not limited to, the following information when it is maintained by a healthcare covered entity in order to conduct healthcare treatment, payment, or operations: name, address, birthdate, telephone number, email address, social security number, medical record number, account number, certificate/license number, and several other types of information collected and used by healthcare providers. PHI includes health information about individuals who have been deceased less than 50 years.

Minimum Necessary: When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The minimum necessary requirement does not apply to disclosures to a health care provider for treatment.10

HIPAA Security Rule

The HIPAA’s Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form.11 The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. While the Privacy Rule concerns those who can have access to PHI, the Security Rule’s focus is on ensuring that only those who are entitled to access electronic protected health information (ePHI) gain access to ePHI.

The HIPAA Security Rule applies to covered entities and business associates, as defined above. While the Privacy Rule protects the privacy of PHI, the Security Rule protects PHI that a covered entity creates, receives, maintains or transmits in electronic format. The Security Rule does not apply to PHI transmitted orally or in writing, only electronic PHI.12

The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. The Rule does not dictate which security measures a covered entity or business associate must use, but requires that they take into account: their size, complexity, and capabilities; their technical, hardware and software infrastructure; the costs of security measures; and the likelihood and possible impact of potential risks to e-PHI.13 Covered entities must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule, and must periodically review and update its documentation.

Breach Notification Requirements

The HIPAA Security Rule requires covered entities to notify individuals, the Secretary of HHS under certain circumstances, and in some cases, the media, regarding breaches of unsecured protected health information.14  Once a covered entity discovers a breach of unsecured PHI, both Florida law and HIPAA require notification to the individual “without unreasonable delay.”

Under HIPAA’s Security Rule, the outside time limit for individual notification is 60 calendar days, while under the Florida Information Protection Act (FIPA), the outer time limit for notification is 30 days.15 As Florida’s law is more stringent, covered entities should be sure to comply with the shorter timeframe specified in Florida statutes. Additionally, business associates are required to notify covered entities of a breach of unsecured PHI.16
Enforcement Overview

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Privacy and Security Rules. OCR enforces the Privacy and Security Rules by investigating complaints and conducting compliance reviews to determine if covered entities are in compliance.

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity will present information about the incident(s) described in the complaint. Covered entities are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.

OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining: voluntary compliance; corrective action; and/or a resolution agreement.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.17

Potential Fines

Failure to comply with HIPAA can result in civil and criminal penalties.

Civil Penalties18
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see chart below).19  The Secretary of the Department of Health and Human Services (HHS) has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.20 If the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty. Timely correction is an affirmative defense.21

HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million per identical violation per year
HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million per identical violation per year
HIPAA violation due to willful neglect but violation is corrected within the 30 day required timeframe $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million per identical violation per year
HIPAA violation is due to willful neglect and is not corrected within the 30 day required timeframe $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million per identical violation per year

Criminal Penalties22
Covered entities and specified individuals, as explained below, whom “knowingly” obtain or disclose individually identifiable health information in violation of HIPAA may be fined up to $50,000, as well as face imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.23

Covered Entity and Specified Individuals

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.24

Recent HIPAA Violations

Anthem Health Insurance Breached Again

In February 2015, Anthem Health Insurance, the nation’s second largest health insurance company, reported what is likely the largest health care related breach of HIPAA data to date. The breach involved an estimated 80 million Anthem customers, and Anthem is potentially liable for up to $1.5 million for the breach under HHS rules.25 The two largest health care breaches to date have been Tricare in 2011, which affected 4.9 million individuals, and Community Hospital Systems in 2014, which involved data from 4.8 million individuals.26

According to an Anthem official statement, while there was no evidence that medical information was compromised, the attackers gained access to Anthem’s IT system and have obtained information from members such as names, medical IDs/SSN, mailing and email addresses.27 For this to be considered a HIPAA breach, Protected Health Information (PHI) as defined by HIPAA and HITECH Security Rules would have to be involved. A person’s name, address and SSN (identifiers confirmed as part of the Anthem breach) are included within the types of data that comprise PHI, as articulated above.

This is not the first time that Anthem’s security was breached resulting in HIPAA violations. Anthem recently agreed to pay HHS $1.7 million to settle an investigation into a separate computer breach that occurred in 2010 and resulted in the disclosure of personal information of approximately 612,000 people.28 (At the time of the breach, Anthem was known as WellPoint). The HHS found that in 2009 and 2010, WellPoint did not adequately implement policies and procedures to protect unsecured “electronic protected health information” covered by HIPAA, and as a result, names, dates of birth, addresses, Social Security numbers and health information of over 600,000 WellPoint customers was disclosed.29 According to HHS, the personally identifiable information that HIPAA-covered health plans maintain on enrollees and members, including names and Social Security numbers, is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.30
Other Recent HIPAA Enforcement Actions and Resolutions

The Office for Civil Rights, the HHS division responsible for enforcing HIPAA, has levied more than $25.1 million in fines against healthcare organizations responsible for violating the privacy and security rules.31  To date, HHS has resolved 21 cases that resulted from breach reports of electronic protected health information. A few of these are highlighted below. For a more comprehensive accounting, please see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

$150,000 HIPAA Settlement Involving Anchorage Community Mental Health Services (ACMHS) (December 2014): Under the settlement agreement, ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. OCR opened its investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/acmhsbulletin.pdf.

$800,000 HIPAA Settlement Involving Parkview Health System, Inc. (June 23, 2014): Under the settlement, Parkview agreed to pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program.  OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule.  Parkview employees left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home. In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR. http://www.hhs.gov/news/press/2014pres/06/20140623a.html.

$4.8 million HIPAA Settlement Involving New York Presbyterian Hospital and Columbia University (May 2014): Two health care organizations settled charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date. OCR initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  http://www.hhs.gov/news/press/2014pres/05/20140507b.html.

$1.7 Million HIPAA Settlement Involving Concentra Health Services (April 2014): OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.  OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and to adopt a corrective action plan.  
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.

What To Do If You Become Aware of a HIPAA Breach?

Covered entities must provide a process for individuals to make complaints and document all such complaints.32 Additionally, covered entities may not take any retaliatory actions against anyone making a complaint.

If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient without unreasonable delay, and no later than within 60 days under HIPAA33, or 30 days under FIPA. If the breach involves fewer than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year.34 If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient.35 The written notice to the patient must satisfy regulatory requirements.36 Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.37

Understanding the HIPAA Complaint Process and Compliance Reviews

It is important that covered entities have a working knowledge of the complaint, investigation, and enforcement process in order to ensure HIPAA compliance.38

The Complaint

Any person who believes that a covered entity or business associate is not complying with HIPAA has the right to file a complaint with HHS.39  The complaint must name the provider who allegedly violated HIPAA and describe the acts or omissions that are believed to have violated HIPAA.  The statute of limitations time period for filing complaints is 180 days after the date when the complainant knew or should have known that the act or omission occurred, but this time limit can be waived for good cause.40

Investigating Complaints

If HHS accepts a complaint for investigation, it will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity will have the opportunity to present information about the incident described in the complaint. HHS has the authority to subpoena witnesses and documents as part of its investigation. The investigation may include a review of the covered entity’s policies, procedures, or practices.41

Once HHS has completed its investigation, one of three things may occur. The first thing that may occur is that HHS may close the case in favor of the covered entity because it determines that the covered entity did not violate HIPAA. HHS will inform the covered entity and the complainant of its determination.42

Assuming HHS finds that a covered entity has violated HIPAA, HHS will attempt to resolve the matter informally, which could include such things as demonstrated compliance, a completed corrective action plan, or other resolution agreement.43

If the complaint is not resolved by informal means, the HHS will inform the covered entity and will allow the covered entity to submit written evidence of any mitigating factors or affirmative defenses.44  Mitigating factors are things such as the nature of the violation; the circumstances surrounding the violation; the degree of culpability of the covered entity; a history of compliance; and, the financial condition of the covered entity. Affirmative defenses would include circumstances that made it unreasonable for the covered entity, despite exercising ordinary care and prudence, to comply with HIPPA.45 After considering any mitigating factors and/or affirmative defenses, if HHS finds that a civil money penalty should be imposed, it will inform the covered entity or business associate of such finding in a notice of proposed determination.46

Compliance Reviews

In addition, HHS may conduct compliance reviews to determine whether a covered entity or business associate is complying with HIPAA.47 HHS may initiate these reviews when it becomes aware of possible violations of HIPAA by a covered entity.

How to Protect Yourself and Avoid Penalties

Cyber attacks on health care organizations increased 100 percent between 2009 and 2013, and about 40 percent of health care organizations reported facing criminal cyberattacks in 2013.48 The FBI released a warning to the health care sector in April 2014, advising health care providers that their cybersecurity systems lagged behind protections in the retail and financial sectors, leaving them vulnerable to attacks by hackers.49

Healthcare organizations should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. Such an assessment will examine the risks of a breach and provide recommendations on how to minimize risks. Every health care organization should protect its sensitive data by doing the following:

  • Perform a security risk analysis yearly to discover security vulnerabilities
  • Keep hardware and software updated with current security patches
  • Determine whether the use of encryption technology is reasonable and appropriate, and if so, deploy encryption technology
  • Perform routine audits of access to information

Additionally, it is important that every organization engage in a full compliance review of policies, forms, and procedures on an annual basis with health care regulatory counsel to ensure HIPAA compliance. All “covered entities” and “business associates” were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013. All covered entities must have documented policies and procedures regarding HIPAA compliance. Additionally, HIPAA compliance requires staff privacy and security training on a regular basis.

As discussed above, HIPAA compliance is mandatory and fines for breach are hefty. HIPAA regulatory counsel can help to ensure HIPAA compliance by reviewing, revising, and updating internal HIPAA policies and procedures, and tailoring such policies and procedures to the specific health care entity.

At a minimum, to avoid HIPAA penalties, health care providers and business associates should:

  • Designate HIPAA Privacy and Security Officers. Covered entities must designate privacy and security officers responsible for ensuring HIPAA compliance. These individuals, among other things, will be responsible for the development and implementation of policies and procedures and for receiving HIPAA complaints. The designations must be documented in writing.50 
  • Provide Appropriate Training to Employees and Agents.  Covered entities and business associates must train their employees to comply with HIPAA policies and procedures, and all trainings should be documented in order to avoid/minimize HIPAA penalties.51
  • Ensure Compliance with Authorization, Use, and Disclosure Rules. As discussed above, covered entities and business associates may not use, access, or disclose protected health information without the patient’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.52  Authorization is not required under HIPAA to carry out treatment, payment, or health care operations, however Florida Statutes requires a more stringent standard in some circumstances, and a covered entity would be required to adhere to both.
  • Know Patients’ Rights. Covered entities and business associates must understand and adhere to HIPAA’s patients’ rights.53
  • Maintain HIPAA Compliant Written Policies and Forms.  Covered entities and business associates must develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients’ rights.54
  • Execute Compliant Business Associate Agreements. HIPAA requires covered entities to execute “business associate agreements” with their business associates before disclosing protected health information to the business associate. To avoid liability for the business associate’s actions, covered entities must ensure that their agreements specify that the business associate is an independent contractor and not an agent of the covered entity.
  • Implement Appropriate Safeguards for PHI and ePHI. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.55 The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information.56 
  • Respond Immediately to Any Breach. HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.57 A covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.

      • Geoffrey D. Smith is a shareholder in the law firm of Smith & Associates, and has practiced in the area of health care law for over 20 years.

      View PDF Version Here.

      1 See Pub.L. No. 104-191, 110 Stat.1936 (1996) (codified at 42 U.S.C. § 1320d-d8), commonly referred to as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
      2 For additional information on HIPAA Privacy and Security Rules, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html and http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
      3 45 C.F.R. §164.502.
      4 § 456.057(7)(a), Florida Statutes. While beyond the scope of this article, it is imperative that covered entities familiarize themselves and comply with the more stringent Florida statutes governing patient privacy and security, and the recently enacted Florida Information Protection Act of 2014 (FIPA), which took effect July 1, 2014.
      5 45 C.F.R. §164.508.
      6 45 C.F.R. §§164.508, .512.
      7 45 C.F.R. §160.103.
      8 45 C.F.R. §160.103.
      9 45 C.F.R. §160.103.
      10 45 C.F.R. §164.502(b).
      11 http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html.
      12 http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html.
      13 45 C.F.R. §164.306(b)(2).
      14 45 C.F.R. §§164.404, 164.406, 164.408.
      15 Florida Information Protection Act (FIPA); Fla. Stat. §501.171.
      16 45 C.F.R. §§164.410.
      17 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html.
      18 45 C.F.R. §160.404.
      19 See http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page.
      20 Id.
      21 45 C.F.R. §160.410.
      22 42. U.S.C. §1320d-6.
      23 Id.
      24 See http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page.
      25 http://www.usatoday.com/story/tech/2015/02/05/anthem-health-care-computer-security-breach-fine-17-million/22931345/.
      26 http://www.usatoday.com/story/tech/2015/02/05/anthem-health-care-computer-security-breach-fine-17-million/22931345/.
      27 Id.
      28 http://www.usatoday.com/story/tech/2015/02/05/anthem-health-care-computer-security-breach-fine-17-million/22931345/
      29 Id.
      30 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html
      31 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html
      32 45 C.F.R. §164.530.
      33 45 C.F.R. §164.404.
      34 45 C.F.R. §164.408(c).
      35 45 C.F.R. §164.408(b).
      36 45 C.F.R. §164.404.
      37 45 C.F.R. §164.530(j).
      38 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html
      39 45 C.F.R. §160.306(a).
      40 45 C.F.R. §160.306(b)(3).
      41 45 C.F.R. §160.306.
      42 45 C.F.R. §160.312(b)
      43 45 C.F.R. §160.312(a).
      44 45 C.F.R. §160.312(a).
      45 45 C.F.R. §160.410.
      46 45 C.F.R. §160.312.
      47 45 C.F.R. §160.308.
      48 http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/05/why-hackers-are-targeting-the-medical-sector/?hpid=z1.
      49 Id.
      50 45 C.F.R. §164.530(a).
      51 45 C.F.R. §164.530(b).
      52 45 C.F.R. §164.502.
      53 45 C.F.R. §§164.524, .526, .528.
      54 45 C.F.R. §164.316.
      55 45 C.F.R. §164.530(c).
      56 45 C.F.R. §164.308.
      57 45 C.F.R. §164.530.

    Smith & Associates Lobby for ALF Changes

    Watch Smith & Associates’ attorneys Geoff Smith and Susan Smith lobby the Florida Legislature for changes in the Nursing Home CON laws here. (Smith & Associates start at the 1:39 mark).

    Currently, the CON rules, as they are applied to Nursing Homes, allow for one nursing home to obtain and hold a monopoly in a district. This leads to fewer options for nursing home patients. Smith & Associates is lobbying the Florida Legislature to change this law to protect nursing home patients.

    Update on Return of Nursing Home CON in Florida

    View PDF Version Here.

    AHCA will be releasing its State Agency Action Reports (“SAARs”) on February 20, 2015, announcing the preliminary decisions for approvals and denials of the 104 CON Applications filed in the first batching cycle since the Legislature lifted the moratorium on new nursing homes in Florida. But what happens next? What do you do if you don’t agree with AHCA’s preliminary decisions? Who has standing to challenge the decision if your CON has been preliminarily approved? This article will provide a basic overview of Fla. Stat. §120.569 and §120.57 (2014), including the timing of challenges, the basic laws regarding standing to bring a challenge, and an overview of the administrative process should you wish to file a challenge or find yourself defending against a challenge.

    NOTIFICATION OF DECISIONS

    AHCA notifies CON Applicants of its preliminary decisions by releasing SAARs for each subdistrict where there was one or more CON Applications filed. The SAARs contain an assessment of each Applicant’s proposal, and a determination ultimately of which applicant or applicants best meets the statutory and rule review criteria. There is no fixed weight applied to any criteria, and the analysis by AHCA involves a weighing and balancing of all the review criteria.

    There are four ways to access SAARs. First, there is a link from AHCA’s home page where all of the SAARs will be posted on February 20, 2015: http://www.fdhc.state.fl.us/MCHQ/CON_FA/Batching/applications.shtml. Sometimes, it can be later in the afternoon before the SAARs are actually posted. Second, any person or company can sign up to be added to AHCA’s email notification list for all CON batching cycle public notices, which includes the notification of the preliminary decisions on CON Applications. Third, AHCA directly contacts CON Applicants via the information provided in the initial CON Applications. Finally, within a few days of the decisions being announced, AHCA will publish formal Notices of Decisions in the Florida Administrative Register (“FAR”).

    DECISIONS AFFECTING SUBSTANTIAL INTERESTS

    Anytime AHCA makes a decision affecting substantial interests, AHCA must provide a “point of entry” for challenging the decision in an administrative trial. The “point of entry” explains when, where, and how the affected person or entity can challenge AHCA’s preliminary decision. Pursuant to Rule 59C-1.012 within 21 days after publication of the Notice of Intent in the FAR, a CON Applicant can request an administrative hearing to challenge the decision. The failure to timely file a proper request for administrative hearing challenging the denial of a CON Application shall result in the denial becoming final.

    If a valid request for an administrative hearing is timely filed by a denied competing CON Applicant, a granted CON Applicant in the same sub-district shall have 10 days from the Notice of Litigation being published in the FAR to file a Petition challenging any or all other co-batched CON Applications.

    Nursing home CON Applicants can only challenge other Applications that were comparatively reviewed for the same services in the same sub-district. Existing providers in the same district that will be substantially affected by the approval of a competing proposed facility or program can initiate or intervene in a challenge pursuant to Fla. Stat. §408.039(5)(c) (2014). Thus, existing providers are given a wider geographic area to be allowed to challenge a CON than competing CON Applicants.

    An existing provider that intervenes within 21 days of the publication of the Notice of Decisions has full party status; however, an intervenor that does not intervene within 21 days is only granted status that is contingent upon the standing of the other parties to the litigation. This comes into play where there is a problem with the original parties’ standing, where the original parties decide to dismiss their challenge, or where the original parties resolved certain substantive issues in the case, through stipulations or otherwise, before the intervenor came into the case. It is often said that unless an existing provider files a Petition with 21 days of the FAR Notice of Decisions, the intervenor takes the case as they find it and is at the mercy of the original parties when it comes to maintaining standing.

    FILING A PETITION

    Petitions are filed at AHCA. Sometimes, inexperienced attorneys inadvertently file at the Division of Administrative Hearings (“DOAH”), which could raise jurisdictional issues if there is inadequate time to correct the error prior to the 21 day deadline.

    Petitions must comply with the uniform rules of procedure under §120.54 (5)(b), including at least the following:

    1. Identify the Petitioner;
    2. State when and how the Petitioner learned of the decision;
    3. Explain how the Petitioner’s substantial Interest are affected by the proposed action;
    4. A statement of all material disputed facts;
    5. A statement of the ultimate facts that warrant the reversal of the decision;
    6. A statement of the rules or statutes that require a reversal or modification of the decision; and
    7. A statement of the relief sought.

    FORMAL ADMINISTRATIVE HEARINGS

    If timely Petitions are filed meeting all of the required substantive criteria, AHCA refers the cases to DOAH for assignment of an Administrative Law Judge (“ALJ”) to review the decisions being challenged. This hearing is considered a “de novo” proceeding, which means that the ALJ should not be influenced by AHCA’s preliminary decision set forth in the SAAR—and the SAAR is “not clothed with a presumption of correctness.” That said, statistically, AHCA preliminary decisions are more frequently upheld than overturned by the ALJs. Perhaps that is because AHCA becomes a party in the proceeding and typically presents expert witnesses to support its rationale for why it’s preliminary determination was correct. That said, there are a significant number of cases where AHCA’s preliminary decision to approve or deny a CON has been decided differently by the ALJ and AHCA has issued a Final Order upholding the ALJ’s determination.

    An administrative hearing is similar to a civil court trial, with slightly relaxed rules of evidence. Parties conduct written discovery, and pre-trial depositions of witnesses. The parties then present their case through expert testimony, lay witness testimony, and submission of documentary evidence. There is an opening statement, direct examination and cross-examination of witnesses by attorneys, and legal arguments over admissibility of evidence.

    One of the most common arguments in CON cases concerns whether the evidence being presented amounts to an “impermissible amendment” of a CON Application. By Rule and established case law, a CON Applicant cannot amend its Application to include new concepts or theories for approval that were not set forth in the CON Application. However, an Applicant may introduce new evidence, new or updated data, and testimony that elaborates and explains concepts or theories that were included in the CON Application.

    By statute, a party requesting a hearing has a right to demand that the hearing be commenced within 60 days of assignment to an ALJ. As a practical matter, most hearings are not done on this expedited schedule. It is not unusual for the hearing process to take 4-6 months or longer. Hearings typically last about 2-3 days for each party involved. In multi-party proceedings a final hearing may last 3-4 weeks. Virtually all CON final hearings are held in Tallahassee.

    Upon conclusion of a formal hearing, the parties are required to submit a Proposed Recommended Order (“PRO”) for the ALJ’s review and consideration. This is typically filed 30 days or so after the final hearing. The PRO includes proposed Findings of Fact as well as proposed Conclusions of Law. By Rule a PRO is supposed to be no longer than 40 pages, but is not unusual for an ALJ to expand the number of pages to 60 or 80 pages depending on the number of parties involved. The ALJ reviews all PROs submitted by the parties and then issues a decision in a Recommended Order.

    EXCEPTIONS AND THE FINAL ORDER

    Once the ALJ issues a Recommended Order, the case is remanded back to AHCA for issuance of a Final Order. Parties may file exceptions to the Recommended Order to explain why the ALJ’s decision is in error. In issuing a Final Order, AHCA may not reject an ALJ’s findings of fact, unless the Agency reviews the entire record, and finds that there is no “competent, substantial evidence” to support a specific finding. It is not the role of AHCA to reweigh the evidence, or judge the credibility of witnesses, or to substitute its balancing of the evidence for that of the ALJ. As to Conclusions of Law, AHCA cannot disturb a conclusion unless it is on a legal matter that is within AHCA’s expertise and jurisdiction (e.g., its governing statute and rules) and AHCA must state with particularity its reasons for rejecting or modifying the conclusion of the ALJ, and must make a finding that its substituted or modified conclusion of law is as or more reasonable than the ALJ’s conclusion.

    The issuance of a Final Order by AHCA is the end of the formal hearing process, and unless a judicial appeal is taken, the CONs will be issued or denied as set forth in the Final Order.

    FURTHER APPEALS

    A party may appeal the Final Order to a District Court of Appeal. This appeal is limited only to a review of the record by a three judge panel based upon legal arguments submitted by the parties’ attorneys in legal briefs.

    CONCLUSION

    February 20, 2015, will be a historic date for nursing homes in Florida. No doubt there will be numerous preliminary approvals and numerous disappointed CON Applicants. The CON process also includes protections for those with existing operations that could be adversely impacted by a CON being issued to another facility. Thus, whether you are seeking approval for new a nursing home or are simply seeking to protect your existing operation, it’s important to stay engaged in the process and know your rights.

    A nursing home wishing to compete in this batching cycle needs to begin preparing now. If you need help competing in this upcoming batching cycle, contact the experienced counsel at Smith & Associates.

    Geoffrey D. Smith is a shareholder in the law firm of Smith & Associates, and has practiced in the area of health care law and CON regulation for over 20 years.

    View PDF Version Here.

    Nursing Home CON Update

    The State Agency Action Reports (SAARs) for the latest CON batching cycle are scheduled to be released on 2/20/15. After that date, applicants that wish to challenge the Agency’s findings have only 21 days to file a Petition for Formal Administrative Hearing. These dates are very important and failure to meet the deadlines may forfeit your rights. To see a full explanation of the CON Batching Cycle, read “Nursing Home CON Batching Cycle Rapidly Approaching”. If you need help or have questions about the upcoming deadlines, please contact us here at Smith & Associates. Our attorneys are dedicated professionals with decades of experience in health care and CON law.

    Employer Liability Under the FLSA

    If your company has received a demand letter or a complaint alleging Fair Labor Standards Act (“FLSA”) violations, it needs to act quickly to protect itself and its rights.

    • Institute a Litigation Hold: Once your business becomes aware that there is or may be a lawsuit against it, it has a duty to protect the relevant records. Failure to do so may lead to sanctions from the Court which could include the entry of a default judgment for the employee.
    • Compile Timekeeping Records: It will come down to you, the employer, to ultimately produce records to show that there was no FLSA violation. Getting these records in order soon can cut down on litigation time and costs.
    • Don’t Retaliate: If the person bringing the claim is still employed with you, do not fire, demote, or otherwise retaliate against him or her. This can result in additional claims and damages.
    • Timely Respond: Ensure that you timely respond to all due dates. Failure to timely respond to the complaint can lead to a default judgment in favor of the employee.

        • Hire an Experienced Attorney
        If the employee prevails in the lawsuit, the FLSA provides that the employer must pay for the employee’s attorney fees. So, if you are thinking of saving money by not hiring an attorney, you may end up paying for one anyway—the employee’s. FLSA litigation can be complex, involving not just the statute, but rules from the Department of Labor and case law. Navigating through FLSA litigation requires an attorney who understands these details and will vigorously defend your business against these claims. At Smith & Associates, we understand employment litigation and are committed to providing you with the quality representation you deserve.

        At Smith & Associates, we provide all aspects of Employment Related Legal Representation to Employers including:Compliance Review, Litigation, Appeals, Employment Contracts,Handbook and Policy Drafting, and Unemployment Appeals. If you need held with employment related law issues, contact us for a free consultation.

    New Sterile Compounding Law to Tighten Florida’s Borders

    View PDF Version Here.

    Beginning October 1, 2014, nonresident pharmacies and outsourcing facilities that wish to ship, mail, deliver or dispense any compounded sterile pharmaceutical drug or product into Florida will need a Nonresident Sterile Compounding Permit (NSCP) from the Florida Board of Pharmacy in addition to a Nonresident Pharmacy Permit. Previously, such nonresident pharmacies shipping compounded sterile pharmaceuticals were only required to have a Nonresident Pharmacy Permit.

    A “compounded sterile product” is defined by statute as a drug that is intended for parenteral administration (e.g., intravenous), an ophthalmic or oral inhalation drug in aqueous format, or a drug or product that is required to be sterile under federal or state law or rule, which is produced through compounding, but is not approved by the U.S. Food and Drug Administration. Section 465.003(20), Florida Statutes. “Compounding” means the combining, mixing, or altering of ingredients of one or more drugs or products to create another drug or product. Section 465.003(18), Florida Statutes.

    The new law, codified as section 465.0158, Florida Statutes, was enacted during the last legislative session in response to a national outbreak of fungal meningitis in 2012 that killed 64 people. Seven of the victims were in Florida. According to the Centers for Disease and Control, eight clinics in Florida received contaminated medications from unregulated, nonresident pharmacies. A bill to create tighter controls was first drafted in 2013, but was not passed into law by the Florida Legislature until the last legislative session.

    The new law provides additional time to previously licensed nonresident pharmacies so they can continue doing business with Florida until a NSCP is issued. If a nonresident pharmacy was registered pursuant to section 465.0156, Florida Statutes, before October 1, 2014, then the pharmacy may continue to ship, mail, deliver or dispense a compounded sterile product into Florida without a NSCP until February 28, 2015, provided the pharmacy meets the following conditions outlined in section 465. 0158(6), F. S.:

    1. The compounded sterile product meets or exceeds the standards for sterile compounding in Florida;
    2. The product is not compounded in violation of any law or rule of the state, territory or district where the pharmacy is located; and
    3. The pharmacy is issued the new NSCP permit on or before February 28, 2015.

    According to the Florida Board of Pharmacy website, NSCP applications must be received by January 15, 2015, to ensure a NSCP is issued prior to the February 28, 2015 deadline. Please note that nonresident pharmacies that became registered per section 465.0156, F. S., on or after October 1, 2014, may not enjoy the benefits of continued shipments to Florida through February 28, 2015, without a NSCP.

    NSCP Licensure Requirements

    To obtain a NSCP, a completed Nonresident Sterile Compounding Application (Form DH5003-MQA-9/14) and initial filing fee of $255 must be submitted to the Florida Board of Pharmacy along with the following documentation:

    1. Proof of registration as an “outsourcing facility” with the U.S. Department of Health and Human Services, if applicant meets the definition of an outsourcing facility as defined below;
    2. Proof of registration as a Nonresident Pharmacy pursuant to 465.0156, if applicant is a pharmacy;
    3. Written attestation by an owner or officer of the applicant, and by the applicant’s prescription department manager or pharmacist in charge that:
      • The attestor has read and understands the laws and rules for sterile compounding in Florida;
      • The compounded sterile product being shipped, mailed or delivered into Florida meets or exceeds Florida’s standards for sterile compounding; and
      • The compounded sterile product being shipped, mailed or delivered into Florida is not compounded in violation of the laws and rules of the state, territory or district in which the applicant is located.
    4. The applicant’s policies and procedures, which must comply with all pharmaceutical standards in Chapter 797 of the U.S. Pharmacopoeia and either the Florida Board of Pharmacy rules for sterile compounding or good manufacturing practices for an outsourcing facility.
    5. An inspection report from the regulatory or licensing agency in the state where applicant is located or, if such a report cannot be obtained, then an inspection report from a board-approved entity.

    The new law will also require all nonresident outsourcing facilities to obtain a Nonresident Sterile Compounding Permit. Outsourcing facilities must obtain this new permit in addition to being registered with the Food and Drug Administration. According to section 465.003(19), Florida Statutes, an “Outsourcing facility” means a single physical location registered as an outsourcing facility under the federal Drug Quality and Security Act, Pub. L. No. 113-54, at which sterile compounding of a drug or product is conducted.

    The Board of Pharmacy is authorized to discipline any pharmacy or outsourcing facility for failure to comply with the new NSCP law. Discipline may include any of the following: permit denial, revocation or suspension, fine and reprimand.

    Please contact our office if you have any questions about the new Nonresident Sterile Compounding Permit or for assistance with any matter before the Florida Board of Pharmacy.

    Corinne T. Porcher is a shareholder in the law firm of Smith & Associates, and has practiced in the area of health care law for over 7 years.

    View PDF Version Here.

    The Waiting is Over – Nursing Home Need Projections Show Need in 31 Subdistricts

    View PDF Version here.

    The waiting is over. The official AHCA Fixed Need Pool projections have been released. Positive bed need is shown in 31 nursing home subdistricts. This includes the following subdistricts with a projected Need in excess of 200 beds: Subdistrict 3-2 (Alachua, Bradford, Dixie, Gilchrist, Lafeyette, Levy and Union counties); Subdistrict 3-7 (Lake and Sumter counties); Subdistrict 6-5 (Polk County); Subdistrict 7-2 (Orange County). There are an additional 10 subdistricts with projected Need in excess of 100 beds. Below is a complete listing of all subdistricts with the projected Need:

    Community Nursing Home Bed Need

    District 1
    Subdistrict 1 160
    Subdistrict 2 0
    Subdistrict 3 0
    District 2
    Subdistrict 1 56
    Subdistrict 2 63
    Subdistrict 3 14
    Subdistrict 4 86
    Subdistrict 5 19
    District 3
    Subdistrict 1 99
    Subdistrict 2 227
    Subdistrict 3 43
    Subdistrict 4 140
    Subdistrict 5 65
    Subdistrict 6 66
    Subdistrict 7 205
    District 4
    Subdistrict 1 111
    Subdistrict 2 170
    Subdistrict 3 167
    Subdistrict 4 0
    District 5
    Subdistrict 1 67
    Subdistrict 2 89
    District 6
    Subdistrict 1 110
    Subdistrict 2 0
    Subdistrict 3 0
    Subdistrict 4 25
    Subdistrict 5 203
    District 7
    Subdistrict 1 131
    Subdistrict 2 218
    Subdistrict 3 130
    Subdistrict 4 122
    District 8
    Subdistrict 1 23
    Subdistrict 2 37
    Subdistrict 3 0
    Subdistrict 4 0
    Subdistrict 5 40
    Subdistrict 6 0
    District 9
    Subdistrict 1 18
    Subdistrict 2 37
    Subdistrict 3 6
    Subdistrict 4 0
    Subdistrict 5 0
    District 11
    Subdistrict 1 168
    Subdistrict 2 0

    Geoffrey D. Smith is a shareholder in the law firm of Smith & Associates, and has practiced in the area of health care law and CON regulation for over 20 years.

    View PDF Version here.

    Software Licensing and Enforcement

    Software is rarely sold anymore, it is usually licensed. These licenses restrict how the software can be used and if the software can be resold. Even open source licenses, which convey rights to the users instead of take them away, have conditions on how the software can be used. When considering what to include in a software license or which open source license to use, it is important to consider how software licenses are enforced and what terms you want in your license.

    License Terms vs. Covenant Terms

    The enforceability of the license depends on what clause in the license is being breached and what remedy the developer is seeking. When someone breaches a copyright license, the courts look to the term that was breached to determine if it limited the scope of the license or if it was a mere covenant in the contract. For example, if the term limited the distribution method of the code, it would most likely be considered to be restricting the scope of the license. However, if the term involved how warranty claims were to be submitted, it would most likely be considered a mere covenant.

    If the term being breached is considered a mere covenant, the remedies available are the traditional breach of contract remedies. While there are many of these remedies, for the most part this means that the remedy will be actual damages – how much money was actually lost because of the breach. This is not very easy to determine as the amount must be proven by evidence. For example, terms regarding the warranty of the software are usually considered covenants.

    If the term being breached is limiting the license, then the breach is considered copyright infringement. This has advantages over a breach of contract action. The most important being that if the copyright was registered with the Copyright Office before the infringement, the copyright holder may be entitled to statutory damages between $750.00 and $150,000.00 per infringement. The copyright holder may also be entitled to attorney’s fees and costs. If the work is not registered before the infringement, the copyright holder is usually stuck having to prove the actual damages from the infringement. Whether or not the work was registered before the infringement, the copyright holder can also ask the court for an injunction to prevent the infringer from continuing to use the software.

    When a developer is ready to license her software, what should she look out for?

    • Register the software with the Copyright Office. As stated above, having the work registered opens the door to remedies that do not require proof of damages. To make this even more attractive, it only costs $35.00 to register. There is no reason not to do this.
    • Ensure that your goals are met by the license. Whether you are using an open source license or a custom license, make sure that the terms that control the way your software is distributed are written in a way that actually accomplishes what YOU want to have happen with your software. Do not settle on a license because it is popular. Ensure that its terms meet the goals of your software project.
    • Consider a liquidated damages clause for covenants. Proving actual damages, especially with software licenses is extremely difficult to do. A liquidated damages clause can give a number to the actual damages in the case that one party breaches.
    • Prepare for if things go bad. You may want to disclaim any liability and warranties. You may also want to add a clause for attorney’s fees and costs. Also, you may want to add a choice of forum or arbitration clause to determine where or how any dispute would be handled.

    What if someone is breaching your license?

    • If you have not done so already, register your work with the Copyright Office. To bring a claim in federal court, the work must first be registered. Get that process started as soon as possible.
    • Consider alternate options. If you have not registered with the Copyright Office prior to the infringement, or if the infringer has no money, a federal lawsuit may not be worth it financially. However, the Digital Millennium Copyright Act (DMCA) may offer some cheaper alternatives. This act offers a takedown procedure that asks web hosts to remove infringing material. If they refuse, they can be held liable for infringement. If the infringing work is being distributed via the Internet, a DMCA takedown notice may be a viable alternative to prevent the infringer from continuing to distribute the work without breaking the bank.
    • Talk to an attorney. Every situation is unique. An attorney can help you understand your situation and what your rights and options are.

    If you or your company need help writing or enforcing a software license, contact us at Smith & Associates.

    Software Audit Demand from the BSA

    Recently, radio stations have started playing advertisements informing the listener that if they report software piracy at their place of work, they could receive a reward. While I do not condone software piracy, the Business Software Alliance (BSA), the company running the ads, along with the Software and Information Industry Association (SIIA) use very heavy-handed tactics when dealing with potential pirates. So what should you do if your company receives an audit request from the BSA, SIIA, or some other software company?

    • Don’t Ignore It – While it may be a valid strategy to ignore some demand letters, it is not the case with these audit requests. These companies will follow through with court cases. This can increase the costs of defense and possibly limit your options for the future.
    • Retain an Attorney – The BSA and SIIA have attorneys working for them with the goal of maximizing the payments made by potential infringers. You need an attorney working for you. An attorney can help ensure that the audit cannot be used against you in court and help you keep certain knowledge confidential. An attorney can help explain the copyright infringement laws – which don’t always agree with what the BSA and SIAA believe constitute copyright infringement. If infringing software is discovered, an attorney can also help you with negotiating the settlement agreement, ensuring that BSA and SIIA cannot publish your infringements publicly and the terms of any re-audit.
    • Don’t Buy New Licenses – Once you receive the audit demand, you may feel the need to go out and buy licenses for any non-licensed software. This will not fix the problem and will most likely just end up being a waste of money. The BSA/SIAA will look at the install date and the purchase date to ensure that the software was licensed for the entire time it was installed.
    • Don’t delete infringing software – Destroying evidence is never a good idea. This can lead to a presumption of infringement and possibly sanctions. This along with the fact that computer experts can recover deleted information makes deleting the infringing software a bad idea.

    If you or your company have received a letter from the BSA, SIAA, or any other software company demanding an audit, contact us at Smith & Associates. The BSA/SIAA will use attorneys against you – don’t go it alone.